
Splunk Lantern

Building a SOAR playbook for user-initiated approval of automation

Security automation can be a complex and intimidating task, especially when first starting out. It is common to have concerns around running automated playbooks safely, and they might even be subject to organizational requirements to employ automation safeguards. Even when you have a high confidence in automated tasks, some SOC processes require human review and decision before the next steps can be enacted. 

These factors contribute to why Splunk best practices adopt a human-in-the-loop methodology when developing security automation, especially for new SOAR deployments or automation playbooks. This allows for initial passive steps to be conducted, followed by a user prompt to review and decide on the subsequent course of action. This user prompt can be temporary to debug or build confidence in the automation as it is being developed, or permanent as a review step before allowing response actions to be undertaken automatically.

This functionality can be natively implemented using the prompt function and handled entirely within Splunk SOAR. However, if your organizational directive is to perform investigations within Splunk Enterprise Security, additional steps are required to enable a bi-directional approval flow between the two consoles. This page focuses on advanced approval workflows that leverage both Splunk Enterprise Security and Splunk SOAR.

This content was developed before the convergence of Splunk Enterprise Security and Splunk SOAR. If you have access to Enterprise Security 8.0 or above and have paired natively with SOAR, consider implementing an Enterprise Security Playbook as another approach. 

If any of the above sounds like a familiar scenario to you, consider building a Splunk SOAR approval playbook that uses prompts to capture an approval for automation and links the approval back to Splunk Enterprise Security. This type of playbook can be attached to any other playbooks you create and provide the safeguard needed.

This article assumes that you already know how to write SOAR playbooks. If not, see Create playbooks in Splunk SOAR, and then come back to this article.

How to use Splunk software for this use case

Several components are required to implement such a workflow. At a high level, they encompass formatting, prompting, deciding, and acting.

Formatting

First, format a custom message for the approver. This uses a variable (On-Premises/Cloud) to customize the message. See Applying useful SOAR playbook design features for tips on how to create advanced formatting using markdown for the presentation of SOAR messages.

Format9.png

Prompting 

Next, display the formatted message and configure a Yes/No input for the approver to select and act on.

Prompt2.png

Deciding 

Based on the response to the approval prompt, the playbook can now perform the required actions, in this case approve or deny (Yes/No).

Decision4.png

Re-Formatting 

In this example, we have selected Yes to run the automation and now need to list each Notable ID. Use format block markup with double percentage symbols (%%) to list URLs as an array. The double percent symbols capture each URL and populate it into a list, which can be passed down into the custom code in the next block. Again, see Applying useful SOAR playbook design features for the advanced formatting tips required for such an example.

Format10.png

Acting 

Finally, change the status to approved or denied, and provide a message to the end user.

Action15.png
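The Re-Formatting and Acting steps above, modelled in plain Python as an added example (not Splunk's code and not the playbook's own custom code block): the %% loop expansion is my reading of how a SOAR format block repeats a section per list element, and the notable IDs, approver name and status strings are constructed placeholders. An unanswered or non-Yes prompt is treated as a denial so automation never proceeds by default.

```python
# Added illustration of the approval playbook's data flow; runs offline.
from typing import Dict, List

# Constructed sample input: notable IDs handed to the playbook by Enterprise Security.
NOTABLE_IDS = ["notable-0001", "notable-0002", "notable-0003"]


def render_format_block(template: str, params: List[object]) -> str:
    """Mimic a SOAR format block (assumed semantics): {n} substitutes params[n],
    and lines between a pair of bare %% markers repeat once per element of the
    first list-valued parameter, with that element substituted in place of the list."""
    out: List[str] = []
    loop: List[str] = []
    in_loop = False
    for line in template.splitlines():
        if line.strip() == "%%":
            if in_loop:  # closing marker: expand the collected loop body
                lists = [p for p in params if isinstance(p, list)]
                for item in (lists[0] if lists else []):
                    per_item = [item if isinstance(p, list) else p for p in params]
                    out.extend(tmpl.format(*per_item) for tmpl in loop)
                loop = []
            in_loop = not in_loop
            continue
        if in_loop:
            loop.append(line)
        else:
            out.append(line.format(*params))
    return "\n".join(out)


def decide(prompt_response: str) -> str:
    """Map the approver's answer to a status. Only an explicit Yes approves;
    No, an empty answer or a prompt timeout all resolve to denied (fail closed)."""
    return "approved" if prompt_response.strip().lower() == "yes" else "denied"


def build_status_updates(decision: str, notable_ids: List[str], approver: str) -> List[Dict[str, str]]:
    """One write-back per notable: the status for ES plus the message shown to the analyst."""
    comment = f"Automation {decision} by {approver} via SOAR approval playbook"
    return [{"notable_id": nid, "status": decision, "comment": comment} for nid in notable_ids]


def run_approval(deployment: str, notable_ids: List[str], prompt_response: str, approver: str):
    """Format the approver message, apply the decision, and produce the ES updates."""
    template = "Deployment: {0}\nNotables awaiting approval:\n%%\n- {1}\n%%\n"
    message = render_format_block(template, [deployment, notable_ids])
    return message, build_status_updates(decide(prompt_response), notable_ids, approver)
```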

Results

The results are returned to the analyst queue in Splunk Enterprise Security and the user can continue on with what they need to do. 

Results.png

Additional resources

This article is one of many in a series on using SOAR automation to improve your SOC processes. Check out the additional playbook guidance or some of the links below to continue getting more value out of Splunk SOAR. 

  • Written by Richard Hampshire, Security Architect at Splunk and Matthew Bennett, Managing Director at Hyperion3